[00:00.000 --> 00:03.120]  So let's officially start.
[00:03.120 --> 00:11.300]  And let me welcome you to the 2020 Ethics Village.
[00:11.440 --> 00:14.540]  It's always lovely to see you.
[00:14.540 --> 00:17.660]  Privacy and Civil Liberties Oversight Board Member,
[00:17.660 --> 00:20.980]  Travis LeBlanc, that's a mouthful.
[00:21.820 --> 00:25.260]  Given that we are, as everyone knows,
[00:25.260 --> 00:29.200]  we are all in the midst of a worldwide pandemic,
[00:29.200 --> 00:31.540]  we're doing this virtually this year,
[00:31.540 --> 00:34.400]  obviously would love to see you in person
[00:34.400 --> 00:38.100]  and be having this conversation live in Vegas,
[00:38.100 --> 00:43.920]  but we will make do with technology and see where we go.
[00:44.560 --> 00:47.920]  So let me give a brief introduction of who you are,
[00:47.920 --> 00:51.880]  and then we'll jump right into questions.
[00:52.220 --> 00:55.420]  So Travis LeBlanc is a board member
[00:55.420 --> 00:58.780]  of the Privacy and Civil Liberties Oversight Board,
[00:58.780 --> 01:03.660]  and before he was confirmed to what is known as the PCLOB,
[01:03.660 --> 01:05.460]  the acronym for the board,
[01:05.960 --> 01:08.780]  he was appointed by the US Department of Commerce
[01:08.780 --> 01:11.660]  and the European Commission to serve as an arbiter
[01:11.660 --> 01:16.100]  under the EU-US Privacy Shield Framework.
[01:16.700 --> 01:20.420]  Because the way that the PCLOB is set up,
[01:20.420 --> 01:23.200]  only the chair of the PCLOB
[01:23.200 --> 01:27.080]  is a full-time employee, so to speak,
[01:27.080 --> 01:28.640]  it means that everybody else
[01:29.440 --> 01:33.800]  generally has other full-time jobs, which you do.
[01:33.800 --> 01:35.820]  You're a partner at Cooley,
[01:35.820 --> 01:37.560]  where you're on the management team
[01:37.560 --> 01:40.260]  of Cooley's litigation department,
[01:40.260 --> 01:42.760]  and you've also served as vice chair
[01:42.760 --> 01:47.200]  of Cooley's cyber, data, and privacy practice.
[01:47.220 --> 01:50.860]  And Travis is a leading authority on cybersecurity,
[01:50.860 --> 01:53.300]  data privacy, telecommunications,
[01:53.300 --> 01:58.240]  and the regulation of emerging and disruptive technologies.
[01:58.240 --> 02:00.760]  Now, before all of that,
[02:01.560 --> 02:05.300]  Travis was chief of the FCC,
[02:05.300 --> 02:09.040]  Federal Communication Commission's Enforcement Bureau
[02:09.040 --> 02:11.320]  during the Obama administration,
[02:11.320 --> 02:15.080]  where he spearheaded hundreds of enforcement actions
[02:15.080 --> 02:18.440]  involving consumer issues such as false advertising
[02:18.440 --> 02:22.400]  and the Telephone Consumer Privacy Act,
[02:22.400 --> 02:25.520]  unfair competition, regulatory compliance,
[02:25.520 --> 02:30.500]  and fraud, waste, and abuse of government programs.
[02:30.500 --> 02:35.480]  And of note, especially for this conference,
[02:35.480 --> 02:40.720]  he brought the first data security action by the FCC,
[02:40.720 --> 02:44.920]  and he led enforcement actions resulting in fines
[02:44.920 --> 02:49.060]  together totaling over $100 million,
[02:49.060 --> 02:54.290]  which I think was a record for the FCC's Enforcement Bureau.
[02:55.090 --> 03:03.440]  And before all of that, Travis was a senior advisor
[03:03.770 --> 03:09.460]  to former California Attorney General Kamala D. Harris
[03:09.750 --> 03:13.060]  and a Special Assistant Attorney General of California,
[03:13.190 --> 03:16.840]  where he oversaw California's complex litigation
[03:17.200 --> 03:21.680]  and policy in areas such as technology regulation,
[03:21.680 --> 03:24.900]  high-tech crime, cybersecurity, privacy,
[03:24.900 --> 03:29.540]  intellectual property, antitrust, and telecommunications.
[03:29.960 --> 03:32.640]  Indeed, he created the Privacy Unit
[03:32.640 --> 03:34.840]  that is responsible for enforcement
[03:34.840 --> 03:37.240]  of California's Privacy Act
[03:37.540 --> 03:41.560]  and created California's E-Crime Unit,
[03:41.560 --> 03:44.220]  which has the primary mission of investigating
[03:44.220 --> 03:49.060]  and prosecuting multi-jurisdictional criminal organizations,
[03:49.060 --> 03:52.920]  networks, and groups that perpetrate identity theft crimes,
[03:52.920 --> 03:57.420]  use an electronic device or network to facilitate a crime
[03:57.420 --> 04:01.960]  or commit a crime targeting an electronic device,
[04:01.960 --> 04:04.480]  network, or intellectual property.
[04:04.480 --> 04:06.420]  And before all of that,
[04:06.420 --> 04:08.840]  he served during the Obama administration
[04:09.350 --> 04:13.300]  as an attorney advisor in the U.S. Department of Justice's
[04:13.300 --> 04:15.220]  Office of Legal Counsel,
[04:15.220 --> 04:17.760]  which advises the President, Attorney General,
[04:17.760 --> 04:21.060]  and executive branch agencies on the constitutionality
[04:21.060 --> 04:23.540]  and legality of the programs and activities
[04:23.540 --> 04:25.280]  of the U.S. government.
[04:25.280 --> 04:27.080]  So welcome.
[04:28.220 --> 04:34.700]  I'm first gonna focus a bit on your current role
[04:34.700 --> 04:38.140]  as a member of the Privacy and Civil Liberties Oversight Board
[04:38.140 --> 04:42.280]  and ask you, for those watching who may not be familiar
[04:42.660 --> 04:45.540]  with what the PCLOB is and does,
[04:45.540 --> 04:47.840]  whether, could you please give us a little background
[04:47.840 --> 04:50.460]  about the board and the projects
[04:50.460 --> 04:53.680]  that the board has been working on of late?
[04:53.920 --> 04:55.860]  Well, thank you, Stephanie,
[04:55.860 --> 04:58.760]  for that very kind introduction.
[04:58.760 --> 05:01.340]  I also want to thank the Ethics Village
[05:01.340 --> 05:05.540]  for having me join you all virtually this year at DEFCON.
[05:05.540 --> 05:08.440]  I was in Vegas last August
[05:10.280 --> 05:15.200]  and was around DEFCON as it was taking place
[05:15.200 --> 05:17.180]  and got to really see a lot of good friends
[05:17.180 --> 05:20.440]  who I will miss seeing, not being able to see,
[05:20.440 --> 05:22.880]  at least in person, this year.
[05:23.120 --> 05:25.820]  Listening to you talk about my background, Stephanie,
[05:25.820 --> 05:28.040]  you definitely made me feel like an old man
[05:28.790 --> 05:32.620]  because there are a lot of years that are there going back,
[05:32.620 --> 05:35.840]  but that's okay, that is A-okay.
[05:36.280 --> 05:38.900]  Maybe it's just that you've done so many things
[05:38.900 --> 05:42.300]  in a short period of time, one could look at it that way.
[05:42.340 --> 05:44.160]  That's where all my hair went.
[05:44.160 --> 05:46.500]  That's the explanation for it.
[05:46.840 --> 05:50.900]  Look, I'm thrilled to be here and to share with folks
[05:50.900 --> 05:53.160]  some of the work that we're doing at the PCLOB.
[05:53.160 --> 05:55.260]  The Privacy and Civil Liberties Oversight Board
[05:55.260 --> 06:00.340]  is an independent agency within the executive branch.
[06:00.340 --> 06:01.940]  It was created out of a recommendation
[06:01.940 --> 06:04.980]  from the 9-11 Commission,
[06:04.980 --> 06:08.820]  which, as you all probably may recall,
[06:08.820 --> 06:12.840]  one of the main challenges that the U.S. faced around 9-11
[06:12.840 --> 06:15.280]  was the lack of intelligence sharing
[06:15.810 --> 06:19.860]  between the intelligence community and law enforcement.
[06:20.180 --> 06:23.900]  That resulted in a host of new authorities
[06:23.900 --> 06:30.380]  that built in a number of surveillance tools
[06:30.380 --> 06:34.800]  that could be used by the United States government
[06:34.800 --> 06:38.820]  to help prevent another terrorist attack in the future.
[06:38.820 --> 06:40.880]  Well, along with those surveillance authorities
[06:40.880 --> 06:43.580]  was a desire to ensure that the privacy
[06:44.200 --> 06:46.700]  and civil liberties of U.S. persons
[06:46.700 --> 06:51.780]  was being balanced against the use of those authorities
[06:51.780 --> 06:54.580]  to protect the nation from terrorism.
[06:54.580 --> 06:58.020]  The board is run by five members
[06:58.940 --> 07:00.960]  that are all appointed by the president
[07:00.960 --> 07:03.860]  and confirmed by the United States Senate.
[07:03.860 --> 07:09.580]  Three are always members of the party of the president.
[07:09.580 --> 07:11.740]  So currently the majority of the board,
[07:11.740 --> 07:14.500]  three members are Republicans,
[07:14.500 --> 07:17.040]  and then two are Democrats.
[07:17.040 --> 07:21.380]  I'm one of the Democratic members of the PCLOB.
[07:21.980 --> 07:25.100]  As Stephanie mentioned, the chairman is full-time,
[07:25.100 --> 07:28.680]  but the other four members are all part-time members,
[07:28.680 --> 07:31.440]  which means we balance our work at the board
[07:31.440 --> 07:38.440]  with employment outside of the government.
[07:38.440 --> 07:42.100]  In my instance, I'm a partner at a law firm, Cooley,
[07:42.680 --> 07:46.820]  and I have been on the board since last year.
[07:46.820 --> 07:51.960]  We are in the process of reviewing several projects,
[07:51.960 --> 07:55.160]  but our jurisdiction primarily extends
[07:55.160 --> 07:56.860]  to the programs and activities
[07:56.860 --> 08:01.440]  that are meant to protect the nation against terrorism.
[08:01.800 --> 08:03.840]  Much of the work that we do is classified.
[08:03.840 --> 08:07.380]  We all have security clearances at the highest level
[08:07.380 --> 08:10.740]  and are not prevented from gaining access
[08:10.740 --> 08:14.400]  to any information because it is classified.
[08:14.400 --> 08:17.020]  Our work generally breaks into two buckets.
[08:17.020 --> 08:22.120]  One bucket is advice, and the other bucket is oversight.
[08:22.240 --> 08:25.480]  With respect to advice, we are generally in the capacity
[08:25.480 --> 08:30.160]  of being asked by a component of the intelligence community
[08:30.670 --> 08:34.400]  about a program or activity that they are engaging in
[08:34.400 --> 08:38.960]  or are seeking to engage in about the extent
[08:38.960 --> 08:41.220]  to which the program could better protect
[08:41.220 --> 08:45.860]  or does protect privacy and civil liberties of U.S. persons.
[08:45.860 --> 08:49.880]  Those advice projects, we typically do not publicize
[08:49.880 --> 08:52.160]  in part because they're often classified,
[08:52.160 --> 08:55.160]  but also in part because we like to incentivize
[08:55.160 --> 08:58.820]  the intelligence community to seek out our counsel
[08:58.820 --> 09:03.340]  and have a little bit of independent advice
[09:03.340 --> 09:05.640]  being provided to them about ways
[09:05.640 --> 09:07.300]  that they can improve the privacy
[09:07.300 --> 09:09.840]  and civil liberties protections of the programs
[09:09.840 --> 09:12.400]  and activities of those components.
[09:12.400 --> 09:15.080]  The second bucket is our oversight project.
[09:15.080 --> 09:18.480]  And this is where we often will elect
[09:18.480 --> 09:22.040]  to look at particular programs
[09:22.040 --> 09:23.500]  or activities of the government,
[09:23.500 --> 09:25.600]  and decide which ones are worthy
[09:25.600 --> 09:29.020]  of having the PCLOB's independent oversight.
[09:29.020 --> 09:32.640]  We have several of those that are ongoing right now,
[09:32.640 --> 09:36.520]  but we've just recently finished up a review
[09:36.520 --> 09:40.060]  of the National Security Agency,
[09:40.060 --> 09:45.060]  the NSA's program to collect call detail records,
[09:45.060 --> 09:48.060]  which you may hear me refer to as CDRs.
[09:48.060 --> 09:51.480]  But essentially, the NSA, for many years,
[09:51.480 --> 09:56.700]  operated a program where it collected large scale metadata
[09:57.960 --> 10:02.440]  about telephone calls, primarily outside of the,
[10:02.440 --> 10:06.140]  made to numbers outside of the United States,
[10:06.140 --> 10:08.480]  but there were ways in which it could catch calls
[10:08.480 --> 10:11.340]  within the United States.
[10:11.340 --> 10:15.520]  We found in our report that this program was ineffective,
[10:15.520 --> 10:18.620]  that it was needlessly intrusive
[10:18.620 --> 10:22.380]  into the privacy and civil liberties of U.S. persons,
[10:22.380 --> 10:24.820]  and that it was extremely expensive.
[10:24.820 --> 10:29.900]  In the few years that it operated, since 2015,
[10:30.400 --> 10:34.180]  the program cost about $100 million.
[10:34.700 --> 10:38.560]  And for that $100 million, where they collected
[10:39.660 --> 10:44.840]  a very, very, very large number of details
[10:44.840 --> 10:47.220]  about telephone calls,
[10:47.220 --> 10:51.560]  the NSA produced 15 intelligence reports.
[10:51.560 --> 10:54.360]  Of those 15 intelligence reports,
[10:54.360 --> 10:57.060]  the Federal Bureau of Investigation, the FBI,
[10:57.060 --> 10:59.420]  concluded that only two had information
[10:59.420 --> 11:01.060]  the FBI was unaware of.
[11:01.060 --> 11:04.300]  So for years in collecting a massive number
[11:04.300 --> 11:08.320]  of calls by U.S. persons,
[11:08.920 --> 11:12.760]  there were only 15 reports that were generated from this.
[11:12.760 --> 11:14.280]  It was sort of shooting, you know,
[11:14.280 --> 11:17.620]  it was literally looking for a needle in a haystack
[11:17.620 --> 11:19.520]  to try and find something.
[11:19.560 --> 11:23.280]  There were also numerous compliance incidents
[11:23.280 --> 11:26.980]  and data integrity concerns with the program as well,
[11:26.980 --> 11:30.840]  so much so that a little over a year ago,
[11:30.840 --> 11:32.960]  the NSA decided on its own
[11:32.960 --> 11:35.260]  that it should shut the program down.
[11:35.260 --> 11:39.780]  And we certainly concurred in that decision
[11:39.780 --> 11:43.020]  and put out a report to improve transparency
[11:43.700 --> 11:46.960]  into how this program had operated.
[11:46.960 --> 11:49.320]  In my view, it was the digital equivalent
[11:49.320 --> 11:51.240]  of the bridge to nowhere.
[11:51.300 --> 11:55.220]  The NSA has deleted all of the records associated with it
[11:55.220 --> 11:59.200]  and the authority for the program has now expired.
[11:59.460 --> 12:03.460]  We're doing, in addition to the CDR project,
[12:03.460 --> 12:05.280]  we have several ongoing projects
[12:05.280 --> 12:07.320]  that we're working on right now.
[12:07.660 --> 12:10.120]  A few examples of those are,
[12:10.120 --> 12:13.620]  we're looking at the use of open source intelligence
[12:13.620 --> 12:16.340]  by the Federal Bureau of Investigation, right?
[12:16.340 --> 12:17.540]  Essentially gaining access
[12:17.540 --> 12:19.260]  to commercially available databases
[12:19.260 --> 12:22.160]  or how they might mine social media
[12:22.160 --> 12:27.940]  or other open source materials for investigatory purposes.
[12:27.940 --> 12:30.720]  We are looking at the terrorist watch lists
[12:31.320 --> 12:33.180]  that are out there and, you know,
[12:33.180 --> 12:34.840]  sort of standards around who gets on them,
[12:34.840 --> 12:36.780]  how you get on them, how you get off them,
[12:36.780 --> 12:38.440]  you know, what protections are in place
[12:38.440 --> 12:40.860]  to protect privacy and civil liberties.
[12:40.860 --> 12:44.640]  We're looking at a Department of Treasury program,
[12:44.640 --> 12:47.180]  the Terrorist Finance Tracking Program,
[12:47.180 --> 12:49.780]  as well to examine that.
[12:49.780 --> 12:55.820]  And then we are looking at a program operated by DHS,
[12:55.820 --> 12:57.500]  the Department of Homeland Security,
[12:57.500 --> 13:01.480]  looking at biometrics and the use of biometrics in airports.
[13:01.480 --> 13:04.340]  As many of you may be aware,
[13:04.340 --> 13:06.340]  the Department of Homeland Security
[13:06.340 --> 13:12.560]  uses a series of biometric collection tools in airports,
[13:12.560 --> 13:15.280]  you know, everything from fingerprints
[13:16.100 --> 13:19.860]  to facial recognition technology.
[13:19.860 --> 13:22.680]  Our project definitely has a huge focus
[13:22.680 --> 13:24.720]  on facial recognition technology
[13:24.720 --> 13:29.060]  and it's used by the Transportation Security Administration,
[13:29.060 --> 13:31.620]  by Customs and Border Protection,
[13:31.620 --> 13:34.700]  and by airlines and others
[13:35.060 --> 13:37.480]  to sort of examine right now
[13:37.480 --> 13:39.900]  what is mostly a pilot program,
[13:39.900 --> 13:44.780]  but that DHS certainly anticipates rolling out long-term
[13:44.780 --> 13:47.460]  at all entry and exit points
[13:47.920 --> 13:50.620]  in the United States going forward.
[13:50.620 --> 13:52.040]  So that, Stephanie, is, you know,
[13:52.040 --> 13:53.260]  that's a lot of information
[13:53.260 --> 13:55.120]  about some of the work that we're doing.
[13:55.120 --> 13:57.820]  I definitely did not share everything,
[13:57.820 --> 14:03.060]  but hopefully that answers the initial question.
[14:03.060 --> 14:06.460]  Absolutely. You've given a lot to talk about.
[14:06.460 --> 14:09.580]  And so let me just dig a little further
[14:09.580 --> 14:13.620]  into two specific things that you mentioned.
[14:14.160 --> 14:17.860]  The report that this PCLOB produced
[14:17.860 --> 14:21.220]  on the Called Detail Records Program,
[14:21.220 --> 14:26.820]  this, of course, isn't the first time the PCLOB,
[14:26.820 --> 14:29.000]  under different members, I should say,
[14:29.000 --> 14:32.540]  looked at the Called Detail Records Program.
[14:32.920 --> 14:36.360]  One of the things that caught my eye
[14:36.360 --> 14:40.940]  about the current board's evaluation of this program
[14:40.940 --> 14:45.140]  is you all were really able to shed light
[14:45.140 --> 14:47.760]  on the cost of this program
[14:47.760 --> 14:51.000]  versus the efficacy, the results.
[14:51.000 --> 14:55.760]  And I think you really illuminated
[14:55.760 --> 15:00.780]  for perhaps the federal government
[15:00.780 --> 15:03.860]  and certainly the public that, you know,
[15:03.860 --> 15:06.000]  one of the things that needs to be considered
[15:06.000 --> 15:08.440]  is whether we're really getting a bang for our buck
[15:08.440 --> 15:10.660]  with these kinds of programs.
[15:10.820 --> 15:20.280]  So were you surprised at how expensive this program was
[15:20.280 --> 15:25.740]  versus kind of the limited end product that it produced?
[15:26.140 --> 15:28.880]  Oh, I definitely was surprised about the disparity.
[15:28.880 --> 15:31.360]  I mean, when I saw 15 reports,
[15:31.360 --> 15:34.200]  and I know everything that had to go into operating this program,
[15:34.200 --> 15:36.200]  I knew it was extremely expensive.
[15:36.200 --> 15:37.980]  And, you know, as you may be aware,
[15:37.980 --> 15:41.520]  under the statutory authority that was available to the NSA,
[15:41.520 --> 15:44.660]  they had the ability to pay telecommunications carriers
[15:44.660 --> 15:48.160]  to actually participate in the program.
[15:48.160 --> 15:53.540]  And so, you know, that is an expensive endeavor as well that's involved.
[15:53.540 --> 15:57.120]  So it was very important to me that we understand the cost of the program,
[15:57.120 --> 16:01.860]  because as we are evaluating, you know, the impact on privacy and civil liberties,
[16:01.860 --> 16:04.820]  we ought to compare that to the effectiveness of the program
[16:04.820 --> 16:07.300]  and also the cost of the program.
[16:07.300 --> 16:11.040]  You know, a billion dollars to intrude into people's privacy and civil liberties
[16:11.040 --> 16:14.480]  and get almost nothing from it is, you know,
[16:14.480 --> 16:19.100]  is not really worth, you know, the program in terms of advising Congress,
[16:19.100 --> 16:22.220]  you know, about whether or not the program should be extended
[16:22.220 --> 16:25.500]  or advising the executive branch about whether or not it should be ended.
[16:25.500 --> 16:28.800]  So I do believe that it is critical that we have an understanding
[16:28.800 --> 16:31.480]  of just how much these programs cost
[16:31.480 --> 16:36.980]  so that we can really weigh the benefit of the programs against the expenses
[16:36.980 --> 16:41.540]  to not only the privacy and civil liberties, but also to the public fisc.
[16:42.280 --> 16:44.900]  So in agreeing with you on that point,
[16:44.900 --> 16:48.400]  I should have said at the beginning that my name is Stephanie Pell.
[16:48.400 --> 16:52.440]  I'm a professor at West Point, but anything that comes out of my mouth,
[16:52.440 --> 16:54.800]  although this interview is about your views,
[16:54.800 --> 16:58.540]  but anything that happens to come out of my mouth are my views
[16:58.540 --> 17:03.160]  and do not represent the views of the Army, West Point,
[17:03.160 --> 17:05.140]  or the federal government at large.
[17:05.140 --> 17:08.300]  So anyway, but I agree with you.
[17:09.360 --> 17:14.280]  So moving on, you mentioned an ongoing project
[17:14.280 --> 17:23.080]  where the P-CLOB is looking at DHS's use of biometric technologies in airports.
[17:23.080 --> 17:30.440]  I'd like to broaden the biometric technology discussion a little further with you
[17:30.440 --> 17:36.980]  and just recall the story that many of us have read
[17:36.980 --> 17:41.260]  in the Washington Post about a man named Robert Williams,
[17:41.260 --> 17:46.320]  who is an African-American man who was arrested at his home in front of his children
[17:46.320 --> 17:50.700]  and held for a night in jail due to a misidentification
[17:51.400 --> 17:55.140]  based on a facial recognition algorithm.
[17:55.140 --> 17:59.440]  So in other words, he was arrested based on this misidentification
[17:59.440 --> 18:05.820]  for a crime he did not commit and was held in jail overnight.
[18:06.540 --> 18:12.360]  And I would say that unfortunately, as horrible as this was,
[18:12.360 --> 18:16.280]  we shouldn't be terribly surprised as we've known for some time
[18:16.280 --> 18:22.220]  that facial recognition technologies disproportionately misidentify
[18:23.180 --> 18:25.940]  people of color and women.
[18:26.080 --> 18:30.080]  So how would you address the disparate impact
[18:30.080 --> 18:34.160]  that facial recognition technologies have on communities of color
[18:34.160 --> 18:38.440]  and more broadly, what concerns do you have
[18:38.440 --> 18:43.120]  about how the U.S. government collects and uses information
[18:43.120 --> 18:46.200]  produced by biometric technologies?
[18:46.960 --> 18:50.040]  We all know and have known for a very long time
[18:50.040 --> 18:55.040]  that facial recognition technology has a propensity
[18:55.040 --> 18:58.560]  to misidentify people of color and women.
[18:58.560 --> 19:01.300]  There are numerous studies on this.
[19:01.300 --> 19:07.840]  In 2018, the MIT Media Lab produced a study that found
[19:07.840 --> 19:12.920]  that there was an inability of facial recognition algorithms
[19:12.920 --> 19:19.560]  to identify or misidentify people of color.
[19:19.560 --> 19:26.900]  Last year, the NIST, which is a federal government agency,
[19:26.900 --> 19:32.020]  put out a report looking at 200 facial recognition algorithms
[19:32.020 --> 19:39.860]  and finding evidence of bias along issues of skin color.
[19:41.300 --> 19:45.880]  There was bound to be a time, if not many times that have happened,
[19:45.880 --> 19:50.060]  but one that we now know of, where a person of color would be
[19:50.060 --> 19:53.620]  misidentified by a facial recognition algorithm.
[19:53.620 --> 19:56.000]  I refer to these as race breaches.
[19:56.000 --> 20:02.440]  This is essentially a breach that is taking place in the algorithm.
[20:02.740 --> 20:08.360]  I think that going forward, if the government is going to rely
[20:08.360 --> 20:13.080]  upon facial recognition technology, it has a responsibility,
[20:13.420 --> 20:17.760]  a duty, to ensure that people of color, women,
[20:17.760 --> 20:24.360]  are not disproportionately misidentified or adversely impacted
[20:24.360 --> 20:27.900]  by these particular technologies.
[20:28.220 --> 20:32.620]  Part of that is by making sure that before any facial
[20:32.620 --> 20:36.680]  recognition technology is deployed, that the government
[20:36.680 --> 20:41.560]  or any public authority has given a real strong consideration
[20:41.560 --> 20:46.060]  to the impact that this particular algorithm will have
[20:46.060 --> 20:50.700]  in this particular use case on communities of color.
[20:50.700 --> 20:53.680]  That means really beginning to think about not just
[20:53.680 --> 20:58.160]  does this particular program impact privacy and civil liberties,
[20:58.160 --> 21:02.580]  but recognizing when that impact disproportionately impacts
[21:03.080 --> 21:06.080]  a particular community and ensuring that the government
[21:06.080 --> 21:10.560]  is taking mitigating steps or taking any steps to remediate
[21:10.560 --> 21:12.840]  that disproportionate impact.
[21:12.840 --> 21:15.660]  It's about making sure that when we are thinking about
[21:15.660 --> 21:22.020]  the deployment of a technology like a facial recognition technology,
[21:22.020 --> 21:24.020]  that we're thinking about equality.
[21:24.040 --> 21:27.040]  And that from the beginning, we are building in place
[21:27.040 --> 21:31.760]  protections that are designed to ensure that these programs
[21:31.760 --> 21:35.300]  do not operate in a manner that disproportionately
[21:35.300 --> 21:39.200]  impacts people of color. I call this equality by design.
[21:39.200 --> 21:42.280]  Many people may be familiar with the concept of privacy by design.
[21:42.280 --> 21:45.180]  That is building privacy into a new product
[21:45.180 --> 21:48.540]  so that it respects it from the beginning and doesn't collect
[21:48.540 --> 21:51.780]  any more information, for example, than it needs to.
[21:51.780 --> 21:54.380]  Well, we ought to do the same thing around civil rights concerns.
[21:54.380 --> 21:58.280]  We ought to build equality into the very design of the product
[21:58.280 --> 22:02.660]  from the beginning so that ultimately it minimizes
[22:02.660 --> 22:05.560]  any impact that it's going to have on communities.
[22:05.560 --> 22:08.200]  I don't know that at the end of the day that's ultimately going
[22:08.200 --> 22:13.480]  to solve the problem with bias in facial recognition algorithms.
[22:13.480 --> 22:17.080]  We've seen a number of corporations over the last two months
[22:17.080 --> 22:23.460]  begin to pull away from their facial recognition products
[22:23.460 --> 22:27.800]  that were being sold or marketed to law enforcement.
[22:27.800 --> 22:31.120]  IBM, for example, has stepped back from it.
[22:31.120 --> 22:35.680]  As have Microsoft and Amazon, all making announcements.
[22:35.680 --> 22:39.020]  And we've seen several cities now and states begin to look
[22:39.020 --> 22:41.920]  at whether to ban facial recognition technology
[22:41.920 --> 22:43.960]  and its use by law enforcement.
[22:43.960 --> 22:46.460]  San Francisco's done it. Boston has done it.
[22:46.460 --> 22:50.180]  In fact, the Massachusetts legislature, it looks prime
[22:50.180 --> 22:54.440]  to ban it in the state for use by law enforcement.
[22:54.440 --> 22:58.020]  And I think there's no doubt that one of the primary factors
[22:58.020 --> 23:03.140]  that are motivating these companies as well as these governments
[23:03.140 --> 23:05.900]  to limit the use of facial recognition technology
[23:05.900 --> 23:10.240]  is they haven't often gotten the issue of bias
[23:10.240 --> 23:12.580]  along racial lines correct.
[23:12.580 --> 23:14.960]  And as long as that's there, we have to be mindful
[23:14.960 --> 23:18.200]  about rolling this technology out so that we don't end up
[23:18.200 --> 23:23.380]  in a world where we now have digital biometric technologies
[23:23.380 --> 23:29.680]  that essentially are discriminating against people of color
[23:29.680 --> 23:32.420]  in the same way that so many people of color have experienced
[23:32.420 --> 23:37.900]  for decades or centuries in this country.
[23:37.900 --> 23:43.880]  We don't want a world where one segment typically has to go
[23:43.880 --> 23:47.440]  through a secondary inspection or additional questions
[23:47.700 --> 23:54.020]  or is presumed guilty just by their image.
[23:54.020 --> 23:56.620]  That is the world that we're trying to avoid right now.
[23:56.620 --> 23:58.920]  And the last thing we want to do is hard-code that
[23:58.920 --> 24:03.880]  into the 21st century by beginning to deploy new technologies
[24:03.880 --> 24:06.980]  for the government to use that could ultimately
[24:06.980 --> 24:11.980]  disproportionately impact and be adverse to people of color.
[24:11.980 --> 24:21.060]  So you are really calling for, it's not a new discussion,
[24:21.060 --> 24:25.980]  but broadening the discussion, not just about privacy
[24:25.980 --> 24:29.880]  by design and looking at the privacy impacts
[24:29.880 --> 24:33.840]  of government use of certain technologies,
[24:33.840 --> 24:39.060]  but a specific focus on how the use of those technologies
[24:39.060 --> 24:43.940]  could have a disparate impact on marginalized
[24:43.940 --> 24:46.240]  or communities of color.
[24:46.240 --> 24:51.920]  Because if not, we risk using technology
[24:51.920 --> 24:56.120]  to further facilitate racism at scale.
[24:56.620 --> 24:57.780]  That's exactly right.
[24:57.780 --> 25:00.600]  These algorithms are created by humans.
[25:00.600 --> 25:03.260]  These humans may have biases or the way
[25:03.260 --> 25:06.620]  that the algorithm is trained could be biased.
[25:06.620 --> 25:08.400]  Those are easy examples.
[25:08.400 --> 25:11.100]  But what I am saying is we shouldn't just think
[25:11.100 --> 25:15.300]  about the impact of a program on this amorphous concept
[25:15.300 --> 25:18.360]  of privacy that really focuses on the privacy
[25:18.360 --> 25:19.300]  of the majority.
[25:19.300 --> 25:21.740]  When there is a disproportionate impact
[25:21.740 --> 25:26.240]  on vulnerable communities or disproportionate impact
[25:26.240 --> 25:31.960]  on historically disenfranchised or disadvantaged communities,
[25:31.960 --> 25:34.680]  we ought to be looking at that program
[25:34.680 --> 25:37.440]  and scrutinizing it even more.
[25:37.440 --> 25:39.280]  And I think that's what's missing right now.
[25:39.280 --> 25:41.320]  What's missing right now is we often just think
[25:41.320 --> 25:43.420]  about privacy writ large.
[25:43.420 --> 25:46.260]  We don't actually think about how the privacy
[25:46.260 --> 25:49.400]  of the minority is being disparaged
[25:49.400 --> 25:50.900]  by a particular program.
[25:50.900 --> 25:53.620]  The last thing we want to do is have a world
[25:53.620 --> 25:55.400]  where the privacy and civil liberties
[25:55.400 --> 25:57.740]  of the majority is protected while the privacy
[25:57.740 --> 26:01.180]  and civil liberties of the minority is disregarded
[26:01.180 --> 26:05.840]  or otherwise disproportionately impacted.
[26:05.840 --> 26:09.660]  We don't want privacy to be a luxury good to anyone.
[26:09.980 --> 26:10.840]  Right.
[26:11.120 --> 26:14.400]  And it, you know, at times it's had a tendency
[26:14.400 --> 26:17.000]  to be that way, unfortunately.
[26:17.520 --> 26:20.420]  So I'd like to now talk with you
[26:20.420 --> 26:24.060]  about a letter you wrote,
[26:24.060 --> 26:27.740]  I believe last month, because we're still in July,
[26:27.740 --> 26:30.800]  to the acting secretary of DHS
[26:30.800 --> 26:36.060]  in your official capacity as a PCLA board member.
[26:36.060 --> 26:40.080]  And you wrote to express your concerns
[26:40.080 --> 26:44.080]  and to raise questions about a DHS program
[26:44.080 --> 26:47.540]  requiring all air travelers to submit
[26:47.540 --> 26:51.380]  to mandatory DHS-administered temperature checks
[26:51.380 --> 26:56.700]  or thermal imaging before boarding a commercial airline.
[26:56.940 --> 27:00.700]  What were some of the concerns that you expressed
[27:00.700 --> 27:04.720]  in your letter to the acting secretary of DHS?
[27:04.720 --> 27:06.900]  And have you received a response?
[27:06.900 --> 27:11.280]  And my understanding also is that some members
[27:11.280 --> 27:14.140]  of Congress have now taken up this cause
[27:14.140 --> 27:16.040]  and concern with you.
[27:16.260 --> 27:19.360]  Yeah, I have several concerns about this program.
[27:19.360 --> 27:22.580]  The plan, as I understand it,
[27:22.580 --> 27:27.320]  is for the TSA to administer temperature checks
[27:27.320 --> 27:30.840]  at security checkpoints in airports.
[27:30.840 --> 27:33.200]  My understanding is that this has been requested
[27:33.200 --> 27:37.200]  by various airlines, in part because
[27:37.200 --> 27:38.840]  they don't want to administer them
[27:39.440 --> 27:41.680]  and because they don't want to pay
[27:42.240 --> 27:45.780]  for the temperature checks that would be administered.
[27:45.780 --> 27:50.340]  I have strong concerns about the efficacy
[27:50.860 --> 27:54.060]  of temperature checks or fever checks
[27:54.060 --> 28:01.100]  at detecting whether someone is infected with COVID-19.
[28:01.100 --> 28:03.500]  As you may know, there are many reasons
[28:03.500 --> 28:06.600]  why someone would have a fever.
[28:06.600 --> 28:09.160]  COVID-19 is one reason, but there are a host
[28:09.160 --> 28:12.520]  of other reasons that range from an illness
[28:12.520 --> 28:15.760]  to a condition, you know, a heart condition,
[28:15.760 --> 28:16.740]  for example.
[28:16.740 --> 28:19.640]  Or maybe the person had just been running
[28:19.640 --> 28:23.700]  through the airport to get from the check-in
[28:23.700 --> 28:27.580]  desk to their flight because they're late.
[28:27.580 --> 28:29.820]  I'm also equally concerned that if someone
[28:30.140 --> 28:32.920]  wanted to suppress their temperature
[28:32.920 --> 28:35.540]  or their fever, that that's also easy to do
[28:35.540 --> 28:38.380]  by taking aspirin or ibuprofen, for example,
[28:38.380 --> 28:40.080]  or just putting a little ice on your head
[28:40.080 --> 28:44.000]  for a little while before you walk up to the checkpoint.
[28:44.000 --> 28:46.820]  Thirdly, it's not apparent to me
[28:46.820 --> 28:51.420]  that TSA agents are trained in asking questions
[28:51.420 --> 28:54.420]  or administering public health examinations.
[28:54.420 --> 28:58.640]  And so, you know, it's not...
[28:58.640 --> 29:01.300]  I have no idea how TSA would plan
[29:01.300 --> 29:04.400]  to train these agents, whose mission
[29:04.400 --> 29:08.200]  is supposed to be the security of air travel,
[29:08.200 --> 29:11.280]  not necessarily the public health of air travel.
[29:11.280 --> 29:13.060]  I'm not saying that, you know, there aren't
[29:13.060 --> 29:14.940]  public health experts in the government
[29:14.940 --> 29:16.780]  that do have the training to do this.
[29:16.780 --> 29:18.920]  Namely, you know, the Center for Disease Control,
[29:18.920 --> 29:20.860]  the CDC, would have this expertise.
[29:20.860 --> 29:23.800]  But the CDC has already publicly stated,
[29:23.800 --> 29:25.840]  or at least, you know, information has been made
[29:25.840 --> 29:27.540]  publicly available, that they don't want
[29:27.540 --> 29:30.500]  to participate in this program because it's not effective.
[29:30.500 --> 29:32.820]  So there are concerns about efficacy.
[29:32.860 --> 29:34.460]  There are concerns about, you know,
[29:34.460 --> 29:36.720]  the authority that TSA has to administer
[29:36.720 --> 29:38.620]  this program. And there are also concerns
[29:38.620 --> 29:41.840]  about the government's collection of this information.
[29:41.840 --> 29:43.120]  What are they collecting?
[29:43.120 --> 29:45.880]  What are they going to do with this information?
[29:45.880 --> 29:48.160]  What database is it going to go into?
[29:48.160 --> 29:50.440]  And how is this going to impact travel?
[29:50.440 --> 29:53.180]  Are they going to ban individuals, passengers,
[29:53.180 --> 29:54.820]  from traveling for 14 days?
[29:54.820 --> 29:56.300]  Are they going to create a no-fly list
[29:56.300 --> 29:58.740]  or add you to the no-fly list?
[29:58.740 --> 30:02.600]  What happens if you come with a doctor's note
[30:02.600 --> 30:04.880]  that actually says, I just got tested yesterday
[30:04.880 --> 30:07.180]  and I don't have COVID-19 even though
[30:07.180 --> 30:08.660]  I have a fever?
[30:08.660 --> 30:10.700]  Or, more importantly, you know,
[30:10.700 --> 30:13.120]  who's going to reimburse the individual
[30:13.120 --> 30:15.460]  for the plane ticket that they won't be able to take?
[30:15.460 --> 30:17.160]  Are they going to be guaranteed refunds
[30:17.160 --> 30:19.200]  by TSA? Are they going to be guaranteed
[30:19.460 --> 30:20.640]  a seat in 14 days?
[30:20.640 --> 30:22.820]  What if they're going for their cancer treatment?
[30:22.820 --> 30:24.860]  Are they going to be denied access to the right
[30:24.860 --> 30:27.580]  to travel to their doctor?
[30:27.760 --> 30:30.460]  Or are they going to be, you know,
[30:30.460 --> 30:31.440]  told to just go home
[30:31.440 --> 30:33.020]  and stay at home and wait?
[30:33.020 --> 30:34.940]  It just seems that there are so many questions
[30:34.940 --> 30:36.800]  that not only haven't been answered
[30:36.800 --> 30:38.860]  about what they're collecting and what they're doing
[30:38.860 --> 30:40.100]  with this, but also the impacts
[30:40.100 --> 30:43.500]  and how this is going to impact the traveling public.
[30:43.500 --> 30:44.680]  I also have concerns
[30:44.680 --> 30:47.040]  about the disproportionate impact
[30:47.040 --> 30:48.520]  that this program may have
[30:48.520 --> 30:50.180]  on people of color.
[30:51.160 --> 30:52.740]  CDC has put out
[30:52.740 --> 30:54.660]  several reports on how
[30:54.660 --> 30:57.080]  COVID-19 is disproportionately
[30:57.080 --> 30:59.300]  impacting people of color.
[30:59.540 --> 31:01.160]  African Americans are more likely
[31:01.160 --> 31:03.280]  to die from COVID-19
[31:03.280 --> 31:05.640]  than are other groups.
[31:05.640 --> 31:07.420]  African Americans and Latinos
[31:07.420 --> 31:09.180]  are more likely to be hospitalized
[31:09.180 --> 31:11.240]  and Native Americans are more likely
[31:11.240 --> 31:12.900]  to be hospitalized than
[31:12.900 --> 31:15.180]  other groups. If we assume
[31:15.180 --> 31:17.520]  that COVID-19
[31:17.520 --> 31:19.560]  disproportionately impacts
[31:20.680 --> 31:21.420]  people
[31:21.420 --> 31:23.260]  of color, then we should assume
[31:23.260 --> 31:25.340]  that a program that is designed
[31:25.340 --> 31:27.600]  to root out COVID-19
[31:27.600 --> 31:29.220]  is going to ultimately
[31:29.220 --> 31:31.400]  end up disproportionately impacting
[31:31.400 --> 31:33.140]  people of color. And it is extremely
[31:33.140 --> 31:35.280]  troubling to me that the
[31:35.280 --> 31:37.100]  right to travel and travel by air
[31:37.100 --> 31:39.060]  when in many instances
[31:39.060 --> 31:41.440]  there isn't an adequate
[31:41.440 --> 31:42.160]  substitute
[31:43.020 --> 31:45.020]  that would be
[31:45.020 --> 31:47.360]  available to those folks,
[31:47.360 --> 31:48.840]  that they would somehow
[31:48.840 --> 31:51.320]  be denied the right to travel
[31:51.320 --> 31:53.380]  and that could impact your job,
[31:53.380 --> 31:55.200]  it could impact your health, it could
[31:55.200 --> 31:56.840]  impact your family or personal
[31:56.840 --> 31:58.520]  situation in ways
[31:58.520 --> 32:00.380]  that are, I think,
[32:00.780 --> 32:02.560]  potentially deeply troubling.
[32:02.560 --> 32:04.700]  And so I'm hopeful that
[32:04.700 --> 32:07.360]  DHS will rethink this program.
[32:07.360 --> 32:08.460]  Several members of Congress
[32:08.460 --> 32:10.720]  are also on both sides
[32:10.720 --> 32:13.280]  of the aisle, Republicans and Democrats,
[32:13.280 --> 32:14.940]  seem to be concerned not only about
[32:14.940 --> 32:16.660]  the efficacy but the impact on
[32:16.660 --> 32:18.520]  privacy and civil liberties of this program.
[32:18.520 --> 32:20.740]  And hopefully TSA and
[32:20.740 --> 32:22.680]  DHS will come to its senses and
[32:22.680 --> 32:24.700]  realize that it shouldn't be in the
[32:24.700 --> 32:26.500]  business of administering temperature checks
[32:26.500 --> 32:28.760]  in airports. And if they
[32:28.760 --> 32:31.140]  do want to actually increase
[32:31.140 --> 32:32.860]  the actual
[32:32.860 --> 32:34.860]  safety of
[32:34.860 --> 32:36.680]  air travel with respect to
[32:36.680 --> 32:38.820]  COVID-19, there are other measures
[32:38.820 --> 32:40.040]  that
[32:41.200 --> 32:42.640]  numerous experts
[32:42.640 --> 32:44.700]  have reported on that
[32:44.700 --> 32:47.200]  airlines, for example,
[32:47.200 --> 32:48.560]  could take to better
[32:48.560 --> 32:50.800]  secure air travel and to better
[32:50.800 --> 32:52.660]  ensure that it's a healthy experience for
[32:52.660 --> 32:54.460]  all passengers.
[32:55.640 --> 32:56.840]  Well, I
[32:56.840 --> 32:58.740]  look forward to
[32:58.740 --> 33:00.860]  what, if any, responses
[33:00.860 --> 33:02.880]  are forthcoming.
[33:04.520 --> 33:06.760]  So, as you mentioned
[33:06.760 --> 33:08.820]  before, the PCLOB
[33:08.820 --> 33:10.800]  had broad discretion and authority
[33:10.800 --> 33:12.680]  to conduct oversight and
[33:12.680 --> 33:14.620]  provide advice to the U.S. government with
[33:14.620 --> 33:16.460]  respect to the implementation of
[33:16.460 --> 33:18.500]  executive branch policies,
[33:18.500 --> 33:20.600]  procedures, regulations, and
[33:20.600 --> 33:22.320]  information-sharing practices
[33:22.320 --> 33:24.820]  relating to efforts to protect the nation
[33:24.820 --> 33:26.720]  from terrorism in order
[33:26.720 --> 33:28.700]  to ensure that privacy and civil
[33:28.700 --> 33:30.640]  liberties are protected.
[33:30.640 --> 33:32.240]  So, this authority
[33:32.240 --> 33:34.700]  therefore covers the activities
[33:34.700 --> 33:36.620]  of both law enforcement and
[33:36.620 --> 33:39.060]  intelligence agencies.
[33:39.100 --> 33:40.600]  And given the
[33:40.600 --> 33:42.520]  scope of the board's discretion
[33:42.520 --> 33:44.840]  within the context of terrorism
[33:44.840 --> 33:46.760]  programs, if you
[33:46.760 --> 33:48.640]  alone could determine the
[33:48.640 --> 33:51.300]  priorities for the PCLOB,
[33:51.300 --> 33:52.520]  what projects
[33:52.520 --> 33:55.740]  would you add to its current slate?
[33:56.260 --> 33:56.800]  That's a very
[33:56.800 --> 33:58.140]  good question.
[33:58.660 --> 34:00.600]  There are many. I think
[34:00.600 --> 34:02.940]  there are so many issues
[34:02.940 --> 34:04.980]  within our jurisdiction
[34:04.980 --> 34:06.960]  for us to look at
[34:06.960 --> 34:08.920]  that, you know, the challenge
[34:08.920 --> 34:10.600]  we really do face is balancing
[34:10.600 --> 34:12.880]  the limited resources
[34:12.880 --> 34:14.700]  we have with the projects
[34:14.700 --> 34:16.760]  that really do stand
[34:16.760 --> 34:18.440]  to benefit from oversight
[34:18.440 --> 34:20.700]  by the PCLOB. Among the
[34:20.700 --> 34:22.800]  topics that I would prioritize
[34:22.800 --> 34:25.370]  would be stingrays.
[34:25.420 --> 34:26.680]  Many folks may be
[34:26.680 --> 34:28.780]  aware of the
[34:28.780 --> 34:33.040]  existence of a
[34:33.040 --> 34:33.400]  cell
[34:33.400 --> 34:35.410]  site simulator technology
[34:35.840 --> 34:37.130]  that would
[34:37.420 --> 34:39.310]  allow someone
[34:39.420 --> 34:40.910]  to intercept
[34:41.680 --> 34:43.290]  telephone calls
[34:43.500 --> 34:44.820]  as well as text messages
[34:44.820 --> 34:47.060]  if they, you know, run
[34:47.360 --> 34:48.720]  a stingray near
[34:48.720 --> 34:50.980]  your location. I think
[34:50.980 --> 34:52.760]  it's important for us to examine
[34:52.760 --> 34:54.200]  the use of stingrays
[34:54.800 --> 34:56.980]  by the intelligence
[34:56.980 --> 34:58.920]  community and the efforts to protect
[34:58.920 --> 35:00.020]  the nation against
[35:00.680 --> 35:02.520]  terrorism. I'd also
[35:02.520 --> 35:05.040]  think that there'd be some value in the PCLOB
[35:05.040 --> 35:06.040]  looking at
[35:06.900 --> 35:07.500]  when
[35:08.700 --> 35:11.040]  components of the U.S. government decide
[35:11.040 --> 35:12.920]  to use hacking tools
[35:12.920 --> 35:15.180]  and beginning to think about what standards
[35:15.180 --> 35:17.000]  are around those, who they can be used
[35:17.000 --> 35:18.640]  against, what
[35:18.640 --> 35:21.080]  approvals need to be put in place,
[35:21.080 --> 35:22.480]  how they can be secured
[35:23.000 --> 35:25.020]  to ensure that they don't get into the
[35:25.020 --> 35:26.880]  hands of an adversary, which
[35:26.880 --> 35:28.620]  unfortunately we've seen
[35:28.620 --> 35:30.820]  happen more than
[35:30.820 --> 35:33.120]  once. Thirdly,
[35:33.740 --> 35:34.920]  I'd want to look at
[35:35.120 --> 35:36.820]  a full review of the Foreign Intelligence
[35:36.820 --> 35:38.980]  Surveillance Act, FISA. I think there are
[35:39.200 --> 35:40.900]  a lot of issues there
[35:40.900 --> 35:42.320]  that we could
[35:42.860 --> 35:44.680]  explore. Everything from
[35:44.680 --> 35:46.620]  the use of foreign intelligence
[35:46.620 --> 35:48.940]  surveillance information in
[35:48.940 --> 35:50.980]  criminal prosecutions to
[35:50.980 --> 35:52.100]  the approvals
[35:52.580 --> 35:54.960]  for those authorities by courts,
[35:54.960 --> 35:56.520]  whether intelligence courts
[35:56.520 --> 35:58.120]  or
[35:58.940 --> 36:00.400]  traditional Article III
[36:00.780 --> 36:02.380]  federal courts, your normal
[36:02.380 --> 36:04.640]  U.S. District Court, to
[36:04.640 --> 36:06.800]  looking at the
[36:06.800 --> 36:08.400]  amicus program
[36:08.400 --> 36:10.540]  that operates
[36:10.540 --> 36:12.580]  under FISA. But I think there's just a lot
[36:12.580 --> 36:13.980]  of work around FISA
[36:13.980 --> 36:16.500]  for the board to do, and that itself
[36:16.500 --> 36:18.520]  could be full-time. I'd
[36:18.520 --> 36:20.500]  also want to look at domestic
[36:20.500 --> 36:22.380]  terrorism issues. Typically, the board
[36:22.380 --> 36:24.640]  in the past has spent almost all of its energy
[36:24.640 --> 36:26.580]  focused, if not all of it, focused
[36:26.580 --> 36:28.500]  on foreign terrorism, yet we know that
[36:28.500 --> 36:30.460]  the number one threat to U.S.
[36:30.460 --> 36:32.500]  persons is actually domestic terrorism. This
[36:32.500 --> 36:34.740]  has been the case for centuries.
[36:34.740 --> 36:36.400]  This isn't a new
[36:36.400 --> 36:38.580]  evolution, and in fact, every year
[36:38.580 --> 36:40.420]  it's a greater threat. But
[36:40.420 --> 36:42.200]  we don't spend a lot of time really
[36:42.200 --> 36:44.300]  looking at the privacy
[36:44.300 --> 36:46.540]  and civil liberties impacts around
[36:46.540 --> 36:49.060]  the domestic terrorism.
[36:49.060 --> 36:50.400]  And then, I think probably
[36:50.400 --> 36:52.380]  finally, I'd want to look
[36:52.380 --> 36:53.860]  at the sharing of
[36:54.480 --> 36:56.140]  national security information
[36:56.140 --> 36:58.640]  with non-national
[36:58.640 --> 37:00.300]  security agencies,
[37:00.300 --> 37:02.260]  such as immigration
[37:02.260 --> 37:04.080]  and customs
[37:04.080 --> 37:05.200]  enforcement.
[37:05.840 --> 37:07.880]  Really beginning to think about
[37:07.880 --> 37:10.100]  the extent to which national security
[37:10.100 --> 37:11.900]  authorities are being used
[37:11.900 --> 37:13.720]  for non-national security
[37:13.720 --> 37:15.820]  purposes. And I think that's an
[37:15.820 --> 37:16.460]  important
[37:18.220 --> 37:19.960]  task for us to take because
[37:19.960 --> 37:21.920]  more and more government databases
[37:21.920 --> 37:24.240]  are being created that are intended to integrate
[37:24.240 --> 37:26.040]  consolidate information
[37:26.040 --> 37:28.060]  from a lot of sources, and once they're
[37:28.060 --> 37:30.020]  in there, they're very hard to get out. It's sticky
[37:30.580 --> 37:32.060]  data once it's in there.
[37:32.060 --> 37:34.260]  So I think it's important for us to get a greater
[37:34.260 --> 37:36.120]  understanding of a lot of these
[37:36.120 --> 37:38.300]  intelligence-sharing authorities and tools
[37:38.300 --> 37:40.000]  that are being used.
[37:40.120 --> 37:41.760]  Well, that is certainly
[37:43.920 --> 37:44.280]  a worthwhile
[37:44.280 --> 37:45.900]  and very
[37:45.900 --> 37:48.080]  expansive list of
[37:48.080 --> 37:50.020]  projects. I will just
[37:50.020 --> 37:51.960]  take moderator's privilege and say
[37:51.960 --> 37:53.960]  perhaps that is an argument for more
[37:53.960 --> 37:55.840]  resources for the Privacy and Civil
[37:55.840 --> 37:57.680]  Liberties Oversight Board.
[37:58.760 --> 37:59.600]  So,
[37:59.600 --> 38:01.620]  I'll piggyback
[38:01.620 --> 38:03.480]  that comment to the next
[38:03.480 --> 38:05.380]  question and say
[38:05.380 --> 38:07.760]  given the Privacy and Civil
[38:07.760 --> 38:09.640]  Liberties concerns that spring
[38:09.640 --> 38:11.600]  from law enforcement use of
[38:11.600 --> 38:14.500]  new and emerging technologies,
[38:14.500 --> 38:15.060]  you've
[38:15.560 --> 38:17.680]  talked about a number of examples,
[38:17.680 --> 38:19.460]  facial recognition, other biometric
[38:19.460 --> 38:21.380]  technologies, big data
[38:21.380 --> 38:23.360]  analytics, you mentioned stingrays
[38:23.360 --> 38:25.860]  in a counterterrorism
[38:25.860 --> 38:28.120]  or terrorism-focused context,
[38:28.120 --> 38:30.260]  but could you see an important
[38:30.260 --> 38:32.160]  role for the PCOB to
[38:32.160 --> 38:34.320]  play beyond the specific
[38:34.320 --> 38:36.240]  frame of privacy
[38:36.240 --> 38:38.160]  and civil liberties in the
[38:38.160 --> 38:40.140]  context of protecting our nation
[38:40.140 --> 38:42.080]  from terrorism? And I guess
[38:42.080 --> 38:44.200]  what I'm asking is, should
[38:44.200 --> 38:46.200]  Congress expand the
[38:46.200 --> 38:47.540]  PCOB's jurisdiction
[38:47.880 --> 38:50.060]  to oversee and address
[38:50.060 --> 38:52.300]  privacy and civil liberties
[38:52.300 --> 38:54.100]  concerns beyond
[38:54.100 --> 38:56.080]  that reach
[38:56.080 --> 38:58.140]  beyond the nation's counterterrorism
[38:58.140 --> 39:00.280]  efforts? Well, look,
[39:00.280 --> 39:02.220]  far be it for me to
[39:03.580 --> 39:04.340]  decide
[39:04.340 --> 39:06.120]  for Congress what
[39:06.120 --> 39:08.140]  the jurisdiction of our agency should
[39:08.140 --> 39:10.340]  be. You know, that's a
[39:10.340 --> 39:12.640]  question for Congress
[39:12.640 --> 39:14.440]  and, you know, they
[39:14.440 --> 39:16.920]  regularly consider it.
[39:16.920 --> 39:20.000]  In my view,
[39:20.000 --> 39:20.480]  privacy
[39:20.480 --> 39:22.580]  and civil liberties
[39:22.580 --> 39:24.360]  concerns have only
[39:24.360 --> 39:25.040]  increased
[39:26.260 --> 39:28.080]  over the last
[39:28.080 --> 39:30.640]  decade or two decades.
[39:30.640 --> 39:32.600]  And those concerns about
[39:32.600 --> 39:34.260]  government or even
[39:34.260 --> 39:35.480]  corporate surveillance
[39:35.480 --> 39:37.780]  are such that
[39:38.440 --> 39:40.220]  there needs to be
[39:40.220 --> 39:41.300]  some agency
[39:42.240 --> 39:44.320]  that is looking
[39:44.320 --> 39:46.820]  into those issues.
[39:46.820 --> 39:48.680]  One easy example
[39:48.680 --> 39:50.820]  of that is,
[39:50.820 --> 39:52.180]  you know, everything that's happening
[39:52.180 --> 39:53.740]  right now in COVID-19
[39:53.900 --> 39:56.380]  and the pandemic. You know, we have
[39:57.020 --> 39:58.340]  a lot of debate right now
[39:58.340 --> 39:59.880]  about contact tracing
[39:59.880 --> 40:02.020]  and a lot of debate about what
[40:02.020 --> 40:03.960]  authorities are needed for
[40:03.960 --> 40:06.140]  public health agencies
[40:06.140 --> 40:07.780]  to collect
[40:07.780 --> 40:10.680]  data about each of us
[40:10.680 --> 40:12.240]  not only to help
[40:12.240 --> 40:13.820]  find a vaccine
[40:13.820 --> 40:15.840]  but also to
[40:15.840 --> 40:18.080]  be able to go back
[40:18.080 --> 40:20.160]  and contact individuals
[40:20.160 --> 40:21.880]  that someone who's
[40:21.880 --> 40:23.900]  infected may have been in
[40:23.900 --> 40:26.000]  touch with the prior 14
[40:26.000 --> 40:27.960]  days. There are
[40:28.400 --> 40:29.540]  a lot of
[40:30.240 --> 40:31.900]  expansive authorities
[40:31.900 --> 40:33.700]  that are being used by government agencies
[40:33.700 --> 40:35.840]  because we are in a pandemic.
[40:35.840 --> 40:38.040]  Quarantine, for example.
[40:38.040 --> 40:39.840]  You know, I mean, imagine the impact of a quarantine
[40:39.840 --> 40:42.180]  on privacy and civil liberties.
[40:42.180 --> 40:43.740]  Yet we don't actually have
[40:43.740 --> 40:45.880]  an agency in the
[40:45.880 --> 40:47.480]  federal government that's tasked
[40:47.480 --> 40:49.740]  with looking at the privacy and civil
[40:49.740 --> 40:51.580]  liberties impacts of all the
[40:51.580 --> 40:53.600]  activities around the pandemic.
[40:53.600 --> 40:55.520]  What agency is going
[40:55.520 --> 40:57.500]  to look at that, for example?
[40:57.500 --> 40:59.060]  And we don't have agencies
[40:59.060 --> 41:01.480]  that are devoted towards looking
[41:01.480 --> 41:03.220]  at the privacy,
[41:03.220 --> 41:05.120]  independently looking at the privacy
[41:05.120 --> 41:07.080]  and civil liberties
[41:07.080 --> 41:09.440]  impacts of the general
[41:09.440 --> 41:11.480]  activities of the Federal Bureau of Investigation
[41:11.480 --> 41:13.660]  for example. So at least
[41:13.660 --> 41:15.620]  in my view, I think it's high time
[41:15.620 --> 41:18.320]  for the United States to have two things.
[41:18.320 --> 41:19.600]  One is
[41:19.600 --> 41:21.400]  you know, a basic
[41:21.400 --> 41:24.040]  federal privacy legislation.
[41:24.040 --> 41:25.520]  We need it. And number two
[41:25.520 --> 41:27.600]  is, you know, an agency
[41:27.600 --> 41:29.660]  or more, or two
[41:29.660 --> 41:31.260]  you know, choose the number of agencies
[41:31.260 --> 41:33.500]  that are committed to the task of
[41:33.500 --> 41:35.400]  protecting the privacy
[41:35.400 --> 41:37.380]  and civil liberties of
[41:37.380 --> 41:39.680]  the U.S. public. And that may
[41:39.680 --> 41:41.780]  be in the corporate, but it also, frankly
[41:41.780 --> 41:43.460]  should be in government.
[41:43.460 --> 41:45.280]  And making sure that there is some
[41:45.280 --> 41:47.400]  independent check out there on
[41:47.400 --> 41:49.220]  the expansive use of
[41:49.220 --> 41:51.520]  surveillance authorities, whether or not
[41:51.520 --> 41:52.740]  they involve
[41:53.400 --> 41:54.300]  terrorism.
[41:57.000 --> 41:59.460]  So switching gears a bit,
[41:59.460 --> 42:01.360]  as we mentioned at the beginning,
[42:01.360 --> 42:03.600]  in addition to your role as a PCAW
[42:03.600 --> 42:05.240]  board member, you're a partner
[42:05.240 --> 42:07.100]  at the Cooley Law Firm with
[42:07.100 --> 42:09.280]  very interesting privacy and cyber security
[42:09.280 --> 42:11.600]  practice. And of course, as a
[42:11.600 --> 42:13.220]  practicing lawyer, everything you do
[42:13.220 --> 42:15.320]  in that role is not public
[42:15.320 --> 42:17.300]  and in addition, due to
[42:17.300 --> 42:19.440]  obligations to your clients,
[42:19.440 --> 42:21.340]  there are limitations on what
[42:21.340 --> 42:23.380]  you can discuss publicly.
[42:23.380 --> 42:25.220]  However, there are
[42:25.220 --> 42:27.440]  two interesting cases involving
[42:27.440 --> 42:29.400]  the Computer Fraud
[42:29.400 --> 42:31.080]  and Abuse Act that you've been
[42:31.080 --> 42:32.960]  litigating, that have received
[42:32.960 --> 42:35.220]  some press coverage.
[42:35.220 --> 42:37.220]  And to my knowledge, these
[42:37.220 --> 42:39.220]  are the first two cases of
[42:39.220 --> 42:40.860]  their kind. So
[42:40.860 --> 42:42.580]  the first case that
[42:42.580 --> 42:44.720]  I'm going to refer to is the Broidy
[42:44.720 --> 42:47.040]  case, where on behalf of Mr.
[42:47.040 --> 42:48.520]  Broidy, you sued the
[42:48.520 --> 42:50.920]  country of Qatar and a number
[42:50.920 --> 42:52.980]  of individuals for their role
[42:52.980 --> 42:54.540]  in hacking and leaking
[42:54.540 --> 42:56.900]  Mr. Broidy's email. And as
[42:56.900 --> 42:59.860]  one news outlet reported,
[42:59.860 --> 43:00.360]  quote,
[43:00.360 --> 43:02.400]  this is a case about a hostile
[43:02.740 --> 43:03.980]  intelligence operation
[43:04.640 --> 43:06.720]  undertaken by a foreign nation
[43:06.720 --> 43:08.520]  against American citizens
[43:08.520 --> 43:10.740]  who have spoken out against
[43:10.740 --> 43:12.640]  that country's support for
[43:12.640 --> 43:14.540]  terrorism and who have entered into
[43:14.540 --> 43:16.460]  significant business relationships
[43:16.460 --> 43:18.480]  relating to defense and
[43:18.480 --> 43:20.460]  counterterrorism with a rival
[43:20.460 --> 43:22.920]  nation. The other case
[43:22.920 --> 43:24.400]  involves
[43:25.160 --> 43:26.380]  a lawsuit by WhatsApp
[43:26.380 --> 43:29.040]  against the NSO group,
[43:29.040 --> 43:30.620]  an Israeli-based spyware
[43:30.620 --> 43:32.730]  firm, alleging that NSO's
[43:33.580 --> 43:34.920]  Pegasus spyware
[43:34.920 --> 43:36.420]  was, among other
[43:36.420 --> 43:38.560]  things, used to hack phone
[43:38.560 --> 43:40.740]  systems of 1,400 users
[43:40.740 --> 43:42.960]  between April 2019
[43:42.960 --> 43:45.800]  and May 2019.
[43:45.800 --> 43:46.580]  There
[43:46.580 --> 43:48.260]  are very interesting aspects
[43:48.260 --> 43:50.500]  of both of these cases, but
[43:50.500 --> 43:52.800]  let me ask
[43:52.800 --> 43:54.660]  you, because these
[43:54.660 --> 43:56.520]  cases illustrate how
[43:56.520 --> 43:58.760]  foreign governments are increasingly
[43:58.760 --> 44:00.600]  attacking individuals
[44:02.220 --> 44:02.700]  hacking
[44:03.180 --> 44:04.660]  their phone
[44:04.660 --> 44:06.640]  networks. What do you think
[44:06.640 --> 44:08.940]  we should do about this problem?
[44:09.820 --> 44:10.680]  There is
[44:10.680 --> 44:12.640]  no doubt that
[44:12.640 --> 44:14.860]  numerous nation states
[44:14.860 --> 44:16.300]  are targeting
[44:16.300 --> 44:17.740]  U.S. persons
[44:18.560 --> 44:19.900]  and corporations
[44:20.740 --> 44:21.500]  in
[44:22.740 --> 44:25.100]  hacking campaigns.
[44:25.680 --> 44:26.480]  Not only are they
[44:26.480 --> 44:28.700]  you know, sometimes they are doing
[44:28.700 --> 44:29.640]  this to
[44:30.740 --> 44:31.280]  gain
[44:32.600 --> 44:33.480]  access
[44:33.480 --> 44:35.420]  to embarrassing information about
[44:35.420 --> 44:37.140]  an individual and then to
[44:37.140 --> 44:39.240]  release it.
[44:39.240 --> 44:41.420]  Other times, they are
[44:41.420 --> 44:43.180]  using it to gain access to the
[44:43.180 --> 44:45.560]  intellectual property of a company
[44:45.560 --> 44:47.080]  which they will
[44:47.080 --> 44:48.700]  exploit, either by
[44:49.240 --> 44:51.360]  giving it to a competitor or
[44:51.360 --> 44:53.260]  releasing it. Other
[44:53.260 --> 44:55.200]  times, they are gaining
[44:55.200 --> 44:57.480]  it to... seeking access
[44:57.480 --> 44:59.060]  to engage in a disinformation
[44:59.060 --> 45:00.500]  campaign.
[45:00.520 --> 45:02.940]  All the while, no matter
[45:02.940 --> 45:05.550]  how much a
[45:05.780 --> 45:07.450]  company or individual
[45:07.960 --> 45:10.460]  invests in
[45:10.460 --> 45:12.160]  cyber security
[45:12.160 --> 45:14.300]  protections and safeguards,
[45:14.300 --> 45:15.900]  many of these nation states
[45:15.900 --> 45:18.920]  have almost unlimited resources
[45:18.920 --> 45:20.080]  and ability
[45:20.080 --> 45:21.800]  to continue to target
[45:21.800 --> 45:23.760]  that entity.
[45:23.760 --> 45:26.200]  Even when you have the best security,
[45:26.200 --> 45:26.960]  they are likely at
[45:26.960 --> 45:28.960]  some point to find
[45:29.300 --> 45:30.980]  a way in. And that
[45:30.980 --> 45:33.000]  way in may not be
[45:33.000 --> 45:35.100]  through the CEO.
[45:35.120 --> 45:37.080]  That way in may be through
[45:37.080 --> 45:38.740]  the CEO's executive assistant
[45:38.740 --> 45:40.500]  or the
[45:41.500 --> 45:42.360]  CISO's
[45:43.040 --> 45:45.060]  spouse may be a way
[45:45.060 --> 45:46.920]  in there. These are
[45:46.920 --> 45:48.720]  sophisticated campaigns
[45:48.720 --> 45:50.800]  that are being engaged
[45:50.800 --> 45:53.220]  in against
[45:53.220 --> 45:54.620]  Americans.
[45:54.620 --> 45:56.720]  And when
[45:58.060 --> 45:58.740]  these
[45:58.740 --> 46:00.960]  are brought to the attention of law enforcement,
[46:00.960 --> 46:02.700]  they're limited in what they
[46:02.700 --> 46:04.640]  can do. Yes, it's
[46:04.640 --> 46:05.960]  possible to indict
[46:06.960 --> 46:08.540]  a Chinese person or two or
[46:08.540 --> 46:10.500]  three. And someday
[46:10.500 --> 46:12.480]  those people may be brought
[46:12.480 --> 46:14.620]  to justice. But today, that's
[46:14.620 --> 46:15.920]  not going to stop that company
[46:16.500 --> 46:18.380]  that's been impacted by this
[46:18.380 --> 46:20.820]  from having
[46:21.160 --> 46:22.560]  a lot of trouble
[46:22.560 --> 46:23.820]  as a result of
[46:24.220 --> 46:26.200]  the hack. And
[46:26.200 --> 46:28.320]  unfortunately, litigation too
[46:28.320 --> 46:30.360]  has its limitations
[46:30.360 --> 46:32.560]  due to a law
[46:32.560 --> 46:34.340]  called the
[46:35.780 --> 46:36.780]  Foreign
[46:36.780 --> 46:38.640]  Sovereign
[46:38.640 --> 46:40.960]  Immunity Act.
[46:40.960 --> 46:42.520]  The acronyms are all
[46:42.520 --> 46:44.800]  the same, the Foreign Sovereign Immunity Act,
[46:44.800 --> 46:45.300]  which
[46:46.620 --> 46:48.640]  essentially gives any
[46:48.640 --> 46:50.660]  foreign government immunity
[46:50.660 --> 46:52.240]  from litigation
[46:52.240 --> 46:54.600]  in the United States with a couple
[46:54.600 --> 46:56.520]  of exceptions.
[46:56.520 --> 46:58.800]  It is now time for the United
[46:58.800 --> 47:00.160]  States to really rethink
[47:00.740 --> 47:02.720]  the Foreign Sovereign
[47:02.720 --> 47:04.920]  Immunity Act and to rethink
[47:04.920 --> 47:06.680]  the extent to which
[47:06.680 --> 47:08.920]  it ought to be used
[47:08.920 --> 47:10.940]  as a defense by
[47:10.940 --> 47:12.520]  foreign nation states that
[47:12.520 --> 47:14.400]  hack U.S. civilians
[47:14.400 --> 47:17.040]  and U.S. corporations.
[47:17.260 --> 47:18.780]  And unless the government really
[47:18.780 --> 47:21.260]  steps up to protect us,
[47:21.260 --> 47:22.800]  we are all limited
[47:22.800 --> 47:24.860]  in our ability to do
[47:24.860 --> 47:26.480]  that. There has been
[47:27.620 --> 47:28.840]  some legislative
[47:28.840 --> 47:29.900]  movement on the Hill
[47:29.900 --> 47:32.460]  looking at this particular issue
[47:32.460 --> 47:34.560]  in Washington, D.C. I'm hopeful
[47:34.560 --> 47:36.740]  that Congress will be able to
[47:36.740 --> 47:38.320]  address this issue because
[47:38.740 --> 47:40.560]  it's not just that the privacy
[47:40.560 --> 47:42.660]  of U.S. persons is being
[47:42.660 --> 47:45.200]  put in jeopardy, but there are
[47:45.200 --> 47:46.820]  hundreds of millions, if
[47:46.820 --> 47:48.720]  not billions of dollars that are
[47:48.720 --> 47:51.060]  also being put in jeopardy as a
[47:51.060 --> 47:53.300]  result of the ability of foreign nation states,
[47:53.300 --> 47:55.720]  rogue nations, as well to
[47:55.720 --> 47:57.340]  target U.S. persons
[47:57.340 --> 47:59.000]  and companies for
[47:59.000 --> 48:03.860]  cyber attacks.
[48:06.500 --> 48:09.800]  This is a complicated problem to solve
[48:09.800 --> 48:11.240]  and I imagine
[48:11.760 --> 48:14.680]  in addition to
[48:14.680 --> 48:14.880]  what you
[48:14.880 --> 48:16.360]  have mentioned,
[48:16.760 --> 48:18.960]  we're going to have to
[48:18.960 --> 48:20.780]  consider
[48:20.780 --> 48:23.100]  how this reflects
[48:23.100 --> 48:25.400]  of course on U.S.
[48:25.400 --> 48:26.600]  policy as well
[48:26.600 --> 48:28.620]  and how we
[48:28.620 --> 48:29.380]  engage
[48:30.780 --> 48:32.900]  and use our capabilities
[48:32.900 --> 48:33.980]  with respect to
[48:34.780 --> 48:35.240]  other
[48:36.820 --> 48:39.200]  people in other foreign nations.
[48:39.200 --> 48:40.700]  So I will not
[48:40.700 --> 48:42.680]  elaborate beyond that, but
[48:42.680 --> 48:43.920]  I want to very much
[48:44.500 --> 48:46.040]  thank you for your time
[48:46.820 --> 48:48.540]  and giving us
[48:48.540 --> 48:50.900]  some deeper insight
[48:50.900 --> 48:52.560]  into the work of the Privacy
[48:52.560 --> 48:55.220]  and Civil Liberties Oversight Board.
[48:55.280 --> 48:56.500]  Hope to continue
[48:56.500 --> 48:58.360]  this conversation with you
[48:58.360 --> 49:01.020]  in person, maybe in Vegas next year.
[49:01.380 --> 49:02.740]  Thank you so much,
[49:02.740 --> 49:04.140]  Stephanie. It was great
[49:04.140 --> 49:06.280]  to see you. A wonderful conversation
[49:06.280 --> 49:08.360]  and I too hope we can continue
[49:08.360 --> 49:10.900]  this conversation next year in Vegas.
[49:10.900 --> 49:12.840]  Take care.
